DOL Issues New Cybersecurity Guidance for Plan Sponsors

The need for a robust cybersecurity program is essential to protect personally identifiable information (PII) such as social security numbers, taxpayer identification numbers, financial account information, credit card information, and even physical and email address. Cybercriminals are increasingly looking to exploit IT systems to capture high-value information that can be used or sold to criminals. In 2020, there were over 1,000 data breaches that resulted in the exposure of 155 million records. As cybercriminals become more sophisticated it is essential to ensure maximum protections are in place to protect sensitive benefit plan information. The Department of Labor (DOL) recently issued guidance to ensure plan sponsors are hiring service providers with strong cybersecurity practices. Key questions about cybersecurity practices, past incidents, process validation, cybersecurity insurance coverage, and more are discussed. To help clients, prospects, and others, Wilson Lewis has provided a summary of key details below.

Service Provider Hiring Tips

• Review Practices & Policies – When evaluating providers, it is important to ask about security standards, practices, policies, and audit results. It is important to look for those that follow a recognized standard for data security and use a third-party service to test and validate the effectiveness of existing measures. The test results will build confidence in, and verify that information security, system availability, processing integrity, and confidentiality will be maintained.
• Security Standards – It is important to understand how the provider validates practices and what level of security has been accomplished. For this reason, spend time investigating this information and ask questions when the information is unclear. Finally, look carefully at contract provisions to ensure the plan has the right to review results demonstrating compliance with standards.
• Past Breaches – Inquire about whether past security breaches have been perpetrated. Ask questions about the details of the incident, how the provider responded, and what security measures were changed, updated, or initiated to prevent additional incidents.
• Review Public Information – Do not just rely on what potential providers say about past cybersecurity performance. Review public record information on security incidents, litigation, and other legal proceedings related to the vendor’s services.
• Contractual Cybersecurity Requirements – When reviewing provider contracts, it is important to ensure there is a provision that required ongoing compliance with established standards. Pay special attention to any clauses which limit the provider’s responsibility for security breaches. Consider requiring the following options:
  • Information Security Reporting – This requires the provider to annually obtain a third-party audit to ensure compliance with standards and procedures.
  • Breach Notifications – It should be clearly stated how quickly the plan would be notified of any cyber incident or data breach. Make sure it specifies cooperation from the provider in an investigation and resolution of the exposed issue.
  • Insurance – Some may choose to require insurance coverage such as cyber liability, privacy breach, and bond/blanket crime coverage. Pay special attention to the coverage terms and limits to ensure it provides the proper amount of protection necessary.
  • Use and Sharing of Information and Confidentiality – The contract should identify the provider’s obligation to protect private information, prevent the disclosure of confidential information (unless written permission is obtained) and ensure processes exist to protect confidential information against unauthorized use.

Contact Us

Atlanta plan sponsors have an important responsibility to ensure hired providers have adequate cybersecurity measures, safeguards, and insurance in place to protect plan data. If you have questions about the information outlined above or need assistance with a benefit plan audit, Wilson Lewis can help. For additional information call us at 770-476-1004 or click here to contact us. We look forward to speaking with you soon.